The present invention relates to a contents transmission control method (protocol) that permits fast password-based authentications using small-scale programs to realize secure contents transmission in the Internet, which is vulnerable to wiretap and hence does not provide adequate security of information. The invention also pertains to a recording medium with the method recorded thereon.
As Internet penetration increases, it becomes indispensable to authenticate the capacity of communication partners or users in communications. To meet this requirement, there have been proposed a wide variety of authentication methods, which fall roughly into the categories of those using public-key cryptosystems and those using common-key cryptosystems.
The method employing the public-key cryptosystem has an excellent authentication ability and is expected to be applied to electronic transactions or the like. However, because of its long execution time and large program size, its area of application is limited when it comes to integration into a terminal of poor processing ability, such as a PDA (Personal Digital Assistant: a portable terminal), and into communication protocols related to the Internet.
As a solution to this problem, it is customary in the art to use a method that utilizes the common-key cryptosystem capable of far faster processing than the public-key cryptosystem, but a password-based authentication method is particularly popular for application to the above-mentioned areas.
The basic password authentication procedure is as follows:
First, the prover registers his password with the verifier. At the authentication time, the prover transmits his password to the verifier. The verifier compares the received password with the registered one.
This method has such problems as listed below.
(a) The password may be stolen by visual access to the password file.
(b) The password may be stolen by a wiretap on the communication line.
(c) The prover is required to disclose secret information, i.e., the password, to the verifier.
One possible method that has been proposed to solve problem (a) is a method according to which the prover applies a one-way function to his password and preregisters it with the verifier, and at authentication time the verifier applies the same one-way function to his received password and compares it with the preregistered password (A. Evans, W. Kantrowitz and E. Weiss, "A user authentication scheme not requiring secrecy in the computer," Commun. ACM, 17, 8, pp. 437-442 (1974) and R. Morris and K. Thompson, "Password security: A case history," UNIX Programmer's Manual, Seventh Edition, 2B (1979)).
The one-way function is a function for which there is no efficient means for recovering its input from its output except by checking inputs one by one; if the computational complexity for testing all the inputs involved is chosen to be exorbitantly large, it would be possible to exclude the possibility that an unauthorized person might compute the prover's input data and impersonate the prover. In general, one-way functions are obtainable by secret-key cryptosystems such as DES, FEAL and so forth. The secret-key cryptosystems apply a secret key to the input plaintext to obtain a ciphertext as the output; the secret key cannot be computed from the plaintext and the ciphertext. That is, the secret-key cryptosystems are designed such that the secret key cannot efficiently be obtained except by testing all the secret keys individually. Thus, by inputting the plaintext, a given parameter and a secret key to obtain the output ciphertext through the use of this scheme, a one-way function can be realized which is dependent on the robustness of the secret-key cryptosystem. Furthermore, secret-key cryptosystems such as DES and FEAL have the feature that even if the plaintext or secret-key input varies by only one bit, the output shows not the slightest trace of that input variation.
As described above, the problem (a) of the basic password authentication method can be solved by the method using the one-way function. When applied to the Internet, which is vulnerable to wiretap, however, this method cannot fix problem (b). Moreover, as pointed out above concerning problem (c), this basic password authentication method is applicable to the authentication of bank customers but is not suitable for the authentication of users of the same level.
To correct such problems, there have been proposed a Lamport method (L. Lamport, "Password authentication with insecure communication," Commun. ACM, 24, 11, pp. 770-772 (1981)) and a CINON method (Chained One-Way Data Verification Method) that is a dynamic password authentication method proposed by the inventor of this application (A. Shimizu, "A Dynamic Password Authentication Method Using a One-Way Function," Systems and Computers in Japan, Vol. 22, 1991, pp. 32-40).
With the Lamport method, a one-way function is preapplied to the password a plurality of times and, for each authentication, data of the immediately preceding authentication session is presented to the verifier, by which authentication can be done a plurality of times. With this method, the initially set maximum number of authentication sessions is decremented by 1 upon each execution of authentication and when the preset number of authentication sessions is exhausted, the password must be reset. If the number of times the one-way function is applied is increased with a view to increasing the maximum number of authentication sessions, the amount of processing would inevitably increase. Another problem is that the prover's processing workload is too large in terms of its processing ability which is poor as compared to that of the verifier.
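The Lamport scheme described above, as an added example that is not part of the original text: it shows the decrementing session count, the forced reset on exhaustion, and the prover-side workload that grows with the maximum number of sessions. SHA-256 as the one-way function and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac


def f(x: bytes) -> bytes:
    """One-way function; SHA-256 is a stand-in chosen for this example."""
    return hashlib.sha256(x).digest()


class LamportProver:
    def __init__(self, password: bytes, max_sessions: int):
        self.password, self.remaining, self.hash_calls = password, max_sessions, 0

    def _chain(self, times: int) -> bytes:
        """Apply f to the password `times` times, counting the work done."""
        self.hash_calls += times
        x = self.password
        for _ in range(times):
            x = f(x)
        return x

    def registration(self) -> bytes:
        """Value preregistered with the verifier: f applied max_sessions times."""
        return self._chain(self.remaining)

    def next_token(self) -> bytes:
        """Preimage of the value the verifier currently stores."""
        if self.remaining == 0:
            raise RuntimeError("sessions exhausted: the password must be reset")
        self.remaining -= 1
        return self._chain(self.remaining)


class LamportVerifier:
    def __init__(self, registered: bytes):
        self.stored = registered

    def verify(self, token: bytes) -> bool:
        """Accept if f(token) matches the stored value, then store the token."""
        ok = hmac.compare_digest(f(token), self.stored)
        if ok:
            self.stored = token  # a wiretapped token no longer verifies
        return ok
```

With a maximum of 1000 sessions, the first login alone costs the prover 999 applications of the one-way function, which is the workload problem the paragraph points out.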
With the CINON method, for each authentication session, the prover (user) sends to the verifier (host) three pieces of data: data from which authenticated data registered after its validity check in the immediately previous authentication session is assumed to have originated, authenticated data for use in the authentication session after the next, and data for checking the validity of the data transmitted in the previous authentication session and for use in the next session. By this, it is possible to execute authentication sessions one after another while securely updating the authentication information.
A description will be given of the CINON authentication procedure. The notation used is described first, as follows:
<Notation>
The one-way transform by the secret-key cryptoalgorithm E is represented by C=E(P,K), where C is one-way transform data, P the plaintext, and K the secret key.
Let S represent the prover's secret information, that is, the password.
The index n is an integer equal to or greater than 0 and indicates the number of authentication sessions, i.e. the number of times authentication is executed.
Let A represent the prover's identifier, that is, the user ID such as a mail account (the part where information to the prover is stored).
Let $N_n$ represent a random number that is generated corresponding to the number of authentication sessions.
Let $M_n$ represent an authenticator.
$\oplus$ represents a bitwise exclusive OR operation. Set $V_n = E(A, S \oplus N_n)$ and $W_n = E(A, V_n)$.
That is, $W_n$ is data resulting from a twice-applied one-way transform of $S \oplus N_n$. The difficulty in recovering $S$, $N_n$, or $V_n$ from $W_n$ is dependent on the strength or robustness of the secret-key cryptoalgorithm.
<Authentication Procedure (See FIG. 1)>
Initial Registration Processing
Step S0: The prover (user) performs initial registration processing with the verifier's device (a host device). Initially, the user generates random numbers $N_0$ and $N_1$ at the user terminal and sets the user identifier A and the password S. The user memorizes the password S and stores the random numbers $N_0$ and $N_1$ in his IC card or similar medium.
Next, $W_0$, $W_1$ and $M_0$ are computed by carrying out the following procedure:
$$V_0 = E(A, S \oplus N_0)$$
$$W_0 = E(A, V_0)$$
$$V_1 = E(A, S \oplus N_1)$$
$$W_1 = E(A, V_1)$$
$$M_0 = E(W_1, V_0)$$
and they are registered with the verifier's device (the host device) in correspondence with the user identifier A. $W_0$ is authenticated data for use in the next authentication session, $W_1$ is authenticated data for use in the authentication session after the next, and $M_0$ is data for checking the validity of $W_1$.
Authentication Processing and Contents Data Exchange
Upon completion of the initial registration processing (n=0), the n-th (n=1,2, . . . ) authentication processing is carried out as described below. At this point, $W_{n-1}$, $W_n$, $M_{n-1}$ and $n$ are already registered on the verifier side in correspondence with the prover's identifier A.
Step S1: The user reads out random numbers $N_{n-1}$ and $N_n$ from the IC card, then generates a new random number $N_{n+1}$.
Step S2: The user computes $V_{n-1}$, $W_{n+1}$ and $M_n$ by carrying out the following procedure:
$$V_{n-1} = E(A, S \oplus N_{n-1})$$
$$V_n = E(A, S \oplus N_n)$$
$$V_{n+1} = E(A, S \oplus N_{n+1})$$
$$W_{n+1} = E(A, V_{n+1})$$
$$M_n = E(W_{n+1}, V_n)$$
Step S3: The user sends these pieces of data together with the user identifier A and a service request to the verifier.
$V_{n-1}$ is data from which the data $W_{n-1}$, submitted to a validity check at the verifier side in the previous session and for use in the current authentication session, is assumed to have originated. $W_{n+1}$ is data for use in the authentication after the next session. $M_n$ is data for checking, in the next authentication session, the validity of the authenticated data $W_{n+1}$ that is used in the session after the next.
Step S4: The user updates the random numbers $N_{n-1}$ and $N_n$ of the IC card with $N_n$ and $N_{n+1}$.
Step S5: Next, the host device performs the following authentication processing by the use of $V_{n-1}$, $W_{n+1}$ and $M_n$ sent from the prover.
$W_{n-1}$ is compared with $E(A, V_{n-1})$, and if they agree, the prover is accepted as valid or legitimate. If they do not agree, the prover is rejected as invalid and the processing ends.
When the prover is accepted as valid, the processing proceeds to the comparison of $M_{n-1}$ with $E(W_n, V_{n-1})$; if they agree, $W_n$ is accepted as valid, and if they disagree, the user is rejected as invalid and the processing ends. When the prover is accepted as valid by these two verification steps, the verifier authenticates that $W_{n-1}$, $W_n$ and $M_{n-1}$ are all valid and, in step S6, sends contents data T to the user. Further, in step S7 the verifier newly registers $W_n$, $W_{n+1}$ and $M_n$ in place of the currently registered data.
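The CINON registration (step S0) and the n-th session (steps S1 to S5 and S7) with both sides' state, as an added example that is not part of the original text. HMAC-SHA256 standing in for the one-way transform E(P, K), random numbers of the same length as the password, and the class names Prover and Verifier are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def E(p: bytes, k: bytes) -> bytes:
    """One-way transform C = E(P, K). HMAC-SHA256 is a stand-in (assumption);
    the text names secret-key ciphers such as DES or FEAL."""
    return hmac.new(k, p, hashlib.sha256).digest()


def V(A: bytes, S: bytes, N: bytes) -> bytes:
    """V_n = E(A, S xor N_n); S and N_n have equal length in this example."""
    return E(A, bytes(s ^ r for s, r in zip(S, N)))


class Prover:
    def __init__(self, A: bytes, S: bytes):
        self.A, self.S = A, S
        # N_0 and N_1, which the text keeps on the IC card
        self.N_prev, self.N_cur = (secrets.token_bytes(len(S)) for _ in range(2))

    def register(self):
        """Step S0: return (W_0, W_1, M_0) for the verifier to store."""
        V0, V1 = V(self.A, self.S, self.N_prev), V(self.A, self.S, self.N_cur)
        W1 = E(self.A, V1)
        return E(self.A, V0), W1, E(W1, V0)

    def authenticate(self):
        """Steps S1-S4: return (V_{n-1}, W_{n+1}, M_n), then roll the card."""
        N_next = secrets.token_bytes(len(self.S))
        V_prev = V(self.A, self.S, self.N_prev)
        V_cur = V(self.A, self.S, self.N_cur)
        W_next = E(self.A, V(self.A, self.S, N_next))
        self.N_prev, self.N_cur = self.N_cur, N_next
        return V_prev, W_next, E(W_next, V_cur)


class Verifier:
    def __init__(self, A: bytes, W_prev: bytes, W_cur: bytes, M_prev: bytes):
        self.A, self.W_prev, self.W_cur, self.M_prev = A, W_prev, W_cur, M_prev

    def verify(self, V_prev: bytes, W_next: bytes, M_cur: bytes) -> bool:
        """Step S5 checks; on success, the step S7 update of registered data."""
        ok = (hmac.compare_digest(self.W_prev, E(self.A, V_prev))
              and hmac.compare_digest(self.M_prev, E(self.W_cur, V_prev)))
        if ok:
            self.W_prev, self.W_cur, self.M_prev = self.W_cur, W_next, M_cur
        return ok
```

Because the verifier replaces its registered triple after every accepted session, a message captured on the line fails the first comparison if it is presented again.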
As described above, the CINON method involves the use of two previously generated random numbers $N_{n-1}$ and $N_n$ when the user gets authentication from the verifier. Hence, in the case of getting authentication of the verifier from a terminal at a visiting site, the user needs to use a storage medium which has stored therein the random numbers $N_{n-1}$ and $N_n$, such as an IC card. The terminal needs to have a random number generating function and an IC card read/write function.
On the other hand, there will be soon introduced on the market so-called Internet home appliances equipped with an Internet connection function, such as TV sets, word processors and portable terminal equipment (Arakawa and Kamata, "Information Network Revolution by Internet Home Appliances," Technical Report of IEICE, OFS96-1, pp. 1-6 (1996.5)).
As such Internet home appliances become widespread, there will grow a demand for contents transmission that involves authentication processing, but almost all of the Internet home appliances have no facilities or mechanisms for generating the afore-mentioned random numbers $N_{n-1}$ and $N_n$ and writing them in and reading them out of an IC card or similar storage medium because their manufacturing costs are paramount. Besides, since the storage area for processing programs is limited, it is desirable that the authentication processing is realized or implemented with as simple and small-sized programs as possible.